Guessing https://chromium.googlesource.com/chromium/src/+/1324be868df000cb2e070199ce2d10cd0c5a2706 based on regression range

This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Hi xiaochengh@ - mind taking a look while Tokyo base folk are out?

awhalley@: This crash is due to a re-architecting (using the newly introduced class TextOffsetMapping to find word boundaries).

There are on-going patches fixing these cases. See https://chromium-review.googlesource.com/q/owner:yosin+status:open

We will either get them fixed or hide them again by M68 branch.

*** Bulk Edit ***
M67 Stable promotion is coming soon. Your bug is labelled as Stable ReleaseBlock, pls make sure to land the fix and request a merge into the release branch ASAP. 

If fix is already merged to M67 and nothing else is pending, pls mark the bug as fixed. Thank you.

xiaochengh@ thanks for the details. Though the regression here was found in 67, which has of course already branched and is going stable soon, so we need action before M68 branch.

*** Bulk Edit ***
M67 Stable promotion is coming VERY soon. Your bug is labelled as Stable ReleaseBlock, pls make sure to land the fix and request a merge into the release branch ASAP. 

If fix is already merged to M67 and nothing else is pending, pls mark the bug as fixed. Thank you.

Revert on M67 branch, crrev.com/c/1013445
I'm working for M68 now.

http://crrev.com/c/1018923 should fix this issue.

ClusterFuzz has detected this issue as fixed in range 557408:557410.

Detailed report: https://clusterfuzz.com/testcase?key=4503947008802816

Fuzzer: bj_broddelwerk
Job Type: linux_msan_content_shell_drt
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x00040000010d
Crash State:
  blink::TextOffsetMapping::TextOffsetMapping
  blink::TextOffsetMapping::TextOffsetMapping
  blink::NextWordPosition
  
Sanitizer: memory (MSAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=linux_msan_content_shell_drt&range=550102:550107
Fixed: https://clusterfuzz.com/revisions?job=linux_msan_content_shell_drt&range=557408:557410

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4503947008802816

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 4503947008802816 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot